20 June 2008

The moral debate

I read an article on news24.com that says:
One in three information technology professionals abuses administrative passwords to access confidential data such as colleagues' salary details, personal e-mails or board-meeting minutes, according to a survey.
http://www.news24.com/News24/Technology/News/0,,2-13-1443_2343432,00.html
This is a pretty concerning statistic. We (Netowrk Admins) all know that we can access anything in our organisation, but it is our moral responsability not to do so. I know that I can get my hands on any information that I want, any time, from anywhere, but I choose not to as it is not right.
The problem with network administrators is that their role is often missunderstood and that management does not have a clue that they have access to this information. The other problem is that IT administrators are also mostly the implementers of the file security on the networks and that we hold the Administrator rights which allow us to access any information.
It is a double edged sword, we need access to the files to assist when something goes wrong, but we should not be able to see the contents of certain files.

19 June 2008

Hack my Coffee?




This could be the funniest security vulnerability ever! I read about how a new coffee machine that can be hooked up to your computer has a buffer overflow vulnerability that can allow a hacker to take control of the application that controls the coffee machine on Trend Micro's Website.
Imagine waking up in the morning to the horror of getting black coffee without out sugar when you programmed your machine for white coffee with 2 sugars!

Oh what a crazy world we live in! :P



Photo courtesy PDPhoto.org

17 June 2008

Facebook Phishing

I got an email from facebook that looked like a legit notification that one of my buddies have written on my wall. Except it was written in broken english:

"hello , howdy?? lisen i got a new friend here..shex kinda new here..maybe you can give her a lil tym so she can enjoy here?? not forcin u but u can chk out =)
It was followed by the following link:
http://www.facebook.com.profile.id.aymacc.2810ly6l.dortos.net/facebook/index.php?id=5aaz6677&auth=j5xp2&cyua=hwy9e1l821
It looks pretty legit at first glace, but if you take a close look you will notice that the domain is actially for dortos.net.
Whois information from whois.net

Now the thing that I found wierd was that when I logged into my profile on facebook I still got a notification about the wall post, but there was no post on my wall.

I cautiously opened the link to the fake profile and Firefox 3 Beta blocked it. (See screenshot)

I then decided to open the page up in IE8 and guess what. It looks identical to the facebook login screen. Except that it aint. (screenshot below)


This is a typical phishing attempt. I imagine that my buddy who sent the origional wall post recieved the same thing and his account was compromised. My personal information was then obtained through his profile and a wallpost was placed on my wall.

I am not sure exactly what is going on, but I recon there will be some information once the security researches around the world get a similar "phantom wall post".

I guess this is another reason to upgrade to Firefox 3 :P

13 June 2008

Ransomware

Ransomware seems to be a relativly old form of malware that is beginning to resurface according to Trend Micro. This form of malware takes certain files on your computer and encrypts them. You will not be able to access the files unless you pay the malware writer a fee for the program to decrypt the files. You can find more information about this malware on Wikipedia.

I think that this type of malware is particulary destructive / disruptive and could cause massive problems for computer administrators in future if this type of threat increases.

10 June 2008

More Officescan Woes


Well now, lets get back to the Trend Micro Officescan issue AGAIN!
After downloading SP1 for officescan, which failed to install I eventually got it up and running again by fully un-installing the Officescan server and then IIS. Re-installing both and applying all the pathes for Officescan and then installing Service Pack 1.
All seemed well for about 12 hours. I came back this morning and tried to check on my client machines and do some routine maintenence when all of a sudden the web interface started to hang up again.

I went into task manager to see what was going on and noticed that there where a huge amount of processes running for the Web Interface. There where mostly the following apps running in the background:
  • cgiOnStart.exe
  • cgiSummary.exe
  • cgiChkMasterPwd.exe
  • cgiRqlNl.exe
  • cgiClientAdm.exe
So on to Process Explorer to see more of what is going on ..... I noticed that all of these applications are running under w3wp.exe, which is IIS. So these are all CGI applications running under IIS for the Trend Micro Officescan web constol.
I managed to get back into the web console by restarting IIS and then restarting the office scan master service. You need to do this in this order to first close all the cgi*.exe applications running in the background under IIS. This will allow you to stop the officescan master service. If you just try and restart the officescan master service without restarting IIS the service will say "stopping" infinitly.

I am back in the web console now, but there are no hosts shown at all in the console. ARG ! I know that a re-boot will remedy this, but I can't restart until later when there are less users on this machine. Trend is really starting to be a pain in the butt!